From owner-freebsd-questions@FreeBSD.ORG Sat Jul 9 20:05:52 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5A217106566C for ; Sat, 9 Jul 2011 20:05:52 +0000 (UTC) (envelope-from kline@thought.org) Received: from thought.org (plato.thought.org [209.180.213.209]) by mx1.freebsd.org (Postfix) with ESMTP id 171F28FC1B for ; Sat, 9 Jul 2011 20:05:51 +0000 (UTC) Received: by thought.org (Postfix, from userid 1001) id 3F647E8067E; Sat, 9 Jul 2011 13:05:51 -0700 (PDT) Date: Sat, 9 Jul 2011 13:05:51 -0700 From: Gary Kline To: Matthew Seaman Message-ID: <20110709200551.GB3798@thought.org> References: <20110707180041.GA90387@thought.org> <20110708055837.GA21564@thought.org> <4E16C779.6000607@infracaninophile.co.uk> <20110708220452.GB26712@thought.org> <4E180DDD.1020505@infracaninophile.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4E180DDD.1020505@infracaninophile.co.uk> Organization: Thought Unlimited. Public service Unix since 1986. Of_Interest: With 24++ years of service to the Unix community. User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-questions@freebsd.org Subject: Re: DNS and file system messed up... X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Jul 2011 20:05:52 -0000 On Sat, Jul 09, 2011 at 09:14:21AM +0100, Matthew Seaman wrote: > Date: Sat, 09 Jul 2011 09:14:21 +0100 > From: Matthew Seaman > Subject: Re: DNS and file system messed up... > To: Gary Kline > CC: freebsd-questions@freebsd.org > > On 08/07/2011 23:04, Gary Kline wrote: > > On Fri, Jul 08, 2011 at 10:01:45AM +0100, Matthew Seaman wrote: > >> Date: Fri, 08 Jul 2011 10:01:45 +0100 > >> From: Matthew Seaman > >> Subject: Re: DNS and file system messed up... > >> To: freebsd-questions@freebsd.org > >> > >> On 08/07/2011 08:25, Doug Hardie wrote: > >>> On 7 July 2011, at 22:58, Gary Kline wrote: > >>> > >>>>>>> Jul 7 10:16:33 ethic named[54366]: none:0: open: /etc/named.conf: file not found > >>>>>>> Jul 7 10:17:56 ethic named[54371]: starting BIND 9.3.6-P1 -c /var/named/etc/namedb/named.conf > >> > >>> The first one that fails is looking for /etc/named.conf. The second > >>> one shows its in /var/named/etc/named/named.conf > >> > >>> Those are different locations. I suspect you have named_flags setup > >>> in rc.conf pointing to /etc/namedb/named.conf rather than the right > >>> location. Its also possible that its not set in rc.conf but defaults > >>> in either the rc script or /etc/rc.d/named. On my system it appears > >>> to default in /etc/rc.d/named. > >> > >> FreeBSD defaults to running named chrooted. /etc/namedb is actually a > >> symbolic link: > > > > > > hi matthew, > > > > i found an in-depth post you wrote re mtree yesterday ( 07july ), > > but i figured it was over my head in resetting anything i might need > > to reset. i was going to write you offlist. decided to ask the > > entire list. > > > > > >> > >> % ls -la /etc/namedb > >> lrwxr-xr-x 1 root wheel 21 Jul 6 06:24 /etc/namedb@ -> > >> /var/named/etc/namedb > >> > >> so the files referenced are in fact exactly the same file. However, the > >> flags from the log extract don't look like the defaults to me. (I'm > >> running the dns/bind98 port, and the equivalent info from the log line > >> is '-t /var/named -u bind') > > > > > > i was using bind98 rather than the earlier bind9 which is out of > > date. but bind98 gave me troubles with the rndc.key and other, so i > > chose to go back with what worked. --first thing is to get this > > working with the older bind9. FWIW, both bind9's given me the same > > error and failure. i have walked thru the named script to the point > > where it creates the symlink. regardless, i cannot understand the > > error and failure messages. i only know that my kill -9 and my > > initialization "by hand" work. > >> > >> Gary, what named related settings do you have in /etc/rc.conf? You > >> almost certainly don't need anything more than: > >> > >> named_enable="YES" > >> > >> and perhaps > >> > >> syslogd_flags="-ss -l /var/named/var/run/log" > >> > >> so named can log to the system syslog. > > > > > > Hmmm [&c]. as you may have seen in my post to Doug H. i only have > > > > > > -- > > > > named_enable="YES" > > named_program="/usr/local/sbin/named" > > named_pidfile="/var/run/named/pid" > > OK. The good news is that the configuration that works for the system > built-in version of named will work for the dns/bind98 port with very > minor changes, if any. > > First: where everything should live > > /etc/namedb/named.conf --- named's config file > /etc/namedb/master --- zone files this server is master for > /etc/namedb/slave --- zone files this server slaves from > another master (rw by named) > /etc/named/working --- named's working directory (rw by named) > /etc/rndc.conf --- config file for rndc > > There are various other files and directories under /etc/namedb which > you may or may not need depending on how you configure named; in any > case, just leave them in their default locations and with the > permissions the system gives them. (You can use mtree(8) to fix them up > if necessary -- but that's a whole other posting) > > Now, although named defaults to running chrooted into /var/namedb, you > don't need to mention that path explicitly anywhere in the config. In > fact, you should think about the configuration as if there was no > chrooting happening at all. > > Second: rc.conf settings > > named_enable="YES" > syslogd_flags="-ss -l /var/named/var/run/log" > > should be all you need to use the built-in version of named. > > Third: rndc configuration > > Generate a new rndc key and a config file by: > > # rndc-confgen > /etc/named/rndc.conf > > This should create a new file /etc/namedb/rndc.conf preconfigured to > work with the named instance on the localhost. Look at the text of > the file -- commented out there's a chunk of stuff to copy into > named.conf So let's do that. > > If the file contains: > > # key "rndc-key" { > # algorithm hmac-md5; > # secret "0ABCDE123+45+67890=="; > # }; > # > # controls { > # inet 127.0.0.1 port 953 > # allow { 127.0.0.1; } keys { "rndc-key"; }; > # }; > > Then copy that without the '#' quotes into named.conf In fact, I find > it helps to add a control for access to ::1 as well. So add this text > to /etc/namedb/named.conf: > > key "rndc-key" { > algorithm hmac-md5; > secret "0ABCDE123+45+67890=="; > }; > > controls { > inet 127.0.0.1 port 953 > allow { 127.0.0.1; } keys { "rndc-key"; }; > inet ::1 port 953 > allow { ::1; } keys { "rndc-key"; }; > }; > > Fourth: set up named.conf > > As I don't no much about the config you want, I'm going to have to keep > this to generalities. > > In the options section you should have some standard boiler-plate: > > options { > directory "/etc/namedb/working"; > pid-file "/var/run/named/pid"; > dump-file "/var/dump/named_dump.db"; > statistics-file "/var/stats/named.stats"; > memstatistics-file "/var/stats/named.memstats"; > > For security purposes you can turn off named's built-in version display etc. > > version none; > hostname none; > server-id none; > > Also for security purposes, configure named to use as many UDP ports as > possible: > > use-v4-udp-ports { range 1024 65535; }; > use-v6-udp-ports { range 1024 65535; }; > > There's a bunch of other stuff I could talk about to go into options, > but that's a matter of individual choice and this message is long enough > already. One of the more important things I'm glossing over is the > 'recursion' setting -- this needs to be carefully restricted to only > being available to your own network, as there are plenty of nasty > attacks that are enabled by opening recursion to the world. > > When it comes to zone file statements, on slight gotcha is that you > should give /absolute/ filenames -- that's a consequence of the > 'directory' setting above. Remember the bit about pretending that > chrooting isn't happening? It applies here. So, for instance, > you'ld want something like this for localhost: > > zone "localhost" > { > type master; > file "/etc/namedb/master/localhost-forward"; > }; > zone "127.in-addr.arpa" > { > type master; > file "/etc/namedb/master/localhost-reverse"; > }; > > // RFC 1912-style zone for IPv6 localhost address > zone "0.ip6.arpa" > { > type master; > file "/etc/namedb/master/localhost-reverse"; > }; > > Those zone files should be present as part of the standard system. > Note: you can use ACLs and/or views to control access to these localhost > zones. It's only your local trusted clients that need any access. > > For zones that you are serving to the general public -- ie. the zones > you are authoritative for, you'ld have something like this: > > zone "infracaninophile.co.uk" { > type master; > file "/etc/namedb/master/infracaninophile.co.uk"; > allow-query { > any; > }; > allow-transfer { > secondaries; > }; > }; > > Fifth: testing > > Use named-checkconf to test that your config is going to work: > > # named-checkconf /etc/namedb/named.conf && echo "Everything is OK" > > If named-checkconf prints anything out, that's a problem which needs to > be fixed. named-checkconf remaining silent is a good sign. > > Sixth: start named up > > # /etc/rc.d/named start > > Look at the logging output in /var/log/messages to check everything is > running OK, and test that rndc works by 'rndc status' > > Seventh: there is no seventh. > > Well, actually, changes you would need to make to use the dns/bind98 > port. Very few. > > Check that /usr/local/etc/rndc.conf is a symlink to /etc/named/rndc.conf > -- this should be created automatically when you install the port. > > Use /usr/local/sbin/named-checkconf to verify that your named.conf is OK > with the newer named version. Unless you're using DNSSEC it almost > certainly will be. > > Stop named running and add > > named_program="/usr/local/sbin/named" > > to /etc/rc.conf Restart named. Done. > > Cheers, > > Matthew > > -- > Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard > Flat 3 > PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate > JID: matthew@infracaninophile.co.uk Kent, CT11 9PW > Matthew, Adding the new rndc.conf (and adjusting for the two "options { }" seems to have fixed things. From the messages file, where before, an individual shell script got things going, looks like so: Jul 9 12:32:44 ethic named[14181]: starting BIND 9.3.6-P1 -c /etc/namedb/named.conf -t /var/named -u bind Jul 9 12:32:44 ethic named[14181]: /etc/namedb/named.conf:107: 'options' redefined near 'options' Jul 9 12:32:44 ethic named[14181]: loading configuration: already exists Jul 9 12:32:44 ethic named[14181]: exiting (due to fatal error) Jul 9 12:34:32 ethic named[14264]: starting BIND 9.3.6-P1 -c /etc/namedb/named.conf -t /var/named -u bind Jul 9 12:34:33 ethic named[14264]: command channel listening on 127.0.0.1#953 Jul 9 12:34:33 ethic named[14264]: the working directory is not writable Jul 9 12:34:33 ethic named[14264]: running The pid 14181 was with the options{} that rndc.conf had. There was an earlier bracketed list with the same name. Once I yanked that and fired off /etc/rc.d/named restart, the pid == 14264 actually worked. Bear in mind that I'm used FBSD as my server and Ubuntu as my desktop. ...I'Ll attach/append my amed.conf and if you have time I would be very grateful for any feedback you care to offer, time permitting. --For my next trick, I'll build bind98 and see what breaks. . There were a boatload of error haveing to do with some type of key information. bing98 listed the key number in /var/log/messages. That was why I went back to my elderly [and outdated bind9-3.6. DO I=1, ZILLION write "thanks much! END gary Attached: ./named.conf // $FreeBSD: src/etc/namedb/named.conf,v 1.26 2007/08/17 04:37:02 dougb Exp $ // // Refer to the named.conf(5) and named(8) man pages, and the documentation // in /usr/share/doc/bind9 for more details. // // If you are going to set up an authoritative server, make sure you // understand the hairy details of how DNS works. Even with // simple mistakes, you can break connectivity for affected parties, // or cause huge amounts of useless Internet traffic. acl "thoughts" { 10.47.0.0/24; # network addresses of thought.org 10.47.47.0/24; # inbound remote vpn network 127.0.0.1; # allow loop back }; // // Access Control Lists // acl "dfwlp" { 192.168.125.0/24; # Jonathan Horne's Network (DFW) }; acl "daniel bye" { 69.55.236.116/24; # Daniel Bye's Network (N. England) }; acl "puck.nether.net" { 204.42.254.5; # Chicago Secondary IP; }; //acl "twisted4life.com" { ////202.157.182.142; # Net Secondary IP; //}; acl "ns2.afraid.org" { 174.37.196.55; # FreeDNS Site. }; options { directory "/etc/namedb"; # try again; this must be this, obviously pid-file "/var/run/named/pid"; dump-file "/var/dump/named_dump.db"; statistics-file "/var/stats/named.stats"; listen-on { 10.47.0.230; 127.0.0.1; }; allow-transfer { any;}; }; view "internal" { match-clients { thoughts; dfwlp; }; recursion yes; allow-transfer { any; }; #also-notify { 192.168.125.61; 192.168.125.52; }; zone "." { type hint; file "named.root"; }; zone "0.0.127.IN-ADDR.ARPA" { type master; file "master/localhost.rev"; }; zone "thought.org" { type master; file "master/thought.org.i.hosts"; notify yes; }; zone "0.47.10.in-addr.arpa" { type master; file "/etc/namedb/master/10.47.0.i.rev"; notify yes; }; zone "anacondabuilders.us" { type master; file "/etc/namedb/master/anacondabuilders.us.i.hosts"; notify yes; }; }; view "external" { match-clients { any; }; recursion no; zone "thought.org" { type master; file "/etc/namedb/master/thought.org.e.hosts"; allow-transfer { any;}; notify yes; }; zone "213.180.209.in-addr.arpa" { type master; file "/etc/namedb/master/213.180.209.e.rev"; allow-transfer {any;}; notify yes; }; zone "anacondabuilders.us" { type master; file "/etc/namedb/master/anacondabuilders.us.e.hosts"; allow-transfer { any; }; notify yes; }; }; # Start of rndc.conf {09 july 11} key "rndc-key" { algorithm hmac-md5; secret "oQlBFUkww47vpieGZ68DcA=="; }; ###options { ###default-key "rndc-key"; ###default-server 127.0.0.1; ###default-port 953; ###}; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; }; # End of named.conf